Anonymous Access - Is it safe?
Posted on 2014-02-05
I'm involved in a debate over the safety of allowing internal anonymous (read only) access to a SharePoint 2010 (Enterprise) WCM site.
They have 2 main SharePoint areas, one WCM and the other Collaboration. SharePoint is only accessible within the company network. Authentication is NTLM against 3 trusted domains. Due to corporate aquisitions there are a few hundred employees currently on non-trusted domains.
It's been proposed that we enable anonymous access on the WCM site so all employees can see company announcements. However there's a big push-back against this for 'security reasons'. Nothing specific, just a feeling that opening access somehow opens the collaboration site and other data to attack.
(I will also mention, Federated Services has been considered as an alternative access method for our extra users, but the hardware and configuration requirements are very tight for our timescales.)
Considering that access is only possible from within the company network, there is intrusion detection software configured on all requests to SharePoint, access is read only etc, am I missing something? Should anonymous access to non-sensitive data (admittedly in the same farm as sensitive data) be of major concern to anyone?